Jenkins Pipeline Step: Node Security Project

How to configure Jenkins to automatically check your Node.JS projects' dependencies against the Node Security Project

At HP, we make heavy use of Node.JS and Jenkins for our build pipelines. We are also a security business, so we take any step we can to secure our code.

Consequently, I wanted to add a build pipeline step that automatically validates our packages, and their child dependencies, against the Node Security Project, a public list of known vulnerabilities in Node.JS modules. If a vulnerability was found, I obviously wanted to break the build.

Prerequisites

This can all be achieved relatively easily in Jenkins using the Compiler Warnings plugin, so make sure you have it installed before we start.

You will also need the NSP module installed on your build server, which is easily done with npm install -g nsp.

Setting Up the Plugin

First things first, we need to configure the Compiler Warnings plugin. All this plugin does is scan your build log and attempt to match each line against a given RegEx. To configure it, head over to your Jenkins Configuration page and scroll down to the Compiler Warnings section.

You want to create a new type of warning here with the following information:

Name: Node Security Project Vulnerabilities

Link Name: Node Security Project

Trend Report Name: Detected Vulnerabilities

Regular Expression: ([\w+-]+)\s+([\w.@-]+)\s+>= *([\w.@-]+)\s+(.*)
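To see what that regular expression actually captures before wiring it into Jenkins, here is an added example (not code from the original post, and not part of nsp or the Compiler Warnings plugin) that runs the same pattern over a few constructed build-log lines and applies the "any hit breaks the build" rule. The log lines, module names and advisory text are made up to match the column layout the pattern expects; they are not real nsp output or real advisories. The field names on the parsed records are an assumption about what a mapping script would hand to Jenkins.

```javascript
// Added example: exercise the NSP regular expression from this page against
// constructed log lines and decide whether the build should fail.
// Capture groups, as in the Jenkins configuration above:
//   1 = module name, 2 = installed version, 3 = first patched version, 4 = advisory text.
// The hyphen sits at the end of the character classes so it is a literal
// character rather than a range.
const NSP_LINE = /([\w+-]+)\s+([\w.@-]+)\s+>= *([\w.@-]+)\s+(.*)/;

// Turn one matching log line into a warning record. The field names
// (fileName, category, priority, message) are an assumption about what a
// mapping script would populate; nsp reports packages rather than source
// files, so the module name stands in for the file name.
function parseNspLine(line) {
  const m = NSP_LINE.exec(line);
  if (!m) return null;
  const [, moduleName, installed, patched, advisory] = m;
  return {
    fileName: moduleName,
    category: 'Node Security Project',
    // Every NSP hit is a known vulnerability, so all are treated as high priority.
    priority: 'HIGH',
    message: moduleName + '@' + installed + ' is vulnerable; upgrade to >=' +
      patched + '. ' + advisory.trim(),
  };
}

// Scan a whole build log; lines that do not match the pattern are ignored,
// which is exactly how the Compiler Warnings plugin treats them.
function parseNspLog(log) {
  return log.split(/\r?\n/).map(parseNspLine).filter(Boolean);
}

// Build gate: a single vulnerability is enough to fail the build.
function shouldFailBuild(warnings) {
  return warnings.length > 0;
}

// Exit status a build step would return for this log (1 = fail, 0 = pass).
function nspExitCode(log) {
  return shouldFailBuild(parseNspLog(log)) ? 1 : 0;
}

// Constructed sample log: a header line, two hits (one with a pre-release
// version containing a hyphen), and unrelated npm noise that must not match.
const SAMPLE_LOG = [
  'Name Installed Patched Advisory',
  'example-left-pad 1.0.0 >=1.0.1 constructed advisory text (not a real vulnerability)',
  'example-parser 2.3.0-beta.1 >= 2.3.1 constructed advisory text (not a real vulnerability)',
  'npm WARN deprecated example-thing@0.1.0: constructed deprecation notice',
  '(+) 2 vulnerabilities found',
].join('\n');

const sampleWarnings = parseNspLog(SAMPLE_LOG);
console.log(JSON.stringify(sampleWarnings, null, 2));
console.log('exit code would be: ' + nspExitCode(SAMPLE_LOG));
```

Running this with node prints the two parsed warnings and an exit code of 1; the header line and the npm deprecation notice are skipped because they contain no ">=" column. If nsp's table layout on your build server differs from these constructed lines, the regular expression in the Jenkins configuration is what needs adjusting, not the gate.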

The mapping script takes the result of your RegEx and creates a hudson.plugins.warnings.parser.Warning object that Jenkins can recognize. Set it like this: